Unauthorized Plugin Installation in WordPress Plugins by Inisev
CVE-2023-0958

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Ssl Mixed Content Fix; Duplicate Post; Social Share Icons & Social Share Buttons; Ultimate Posts Widget
Vendor: CVE Published:; 28 July 2023

Summary

Multiple WordPress plugins developed by Inisev are susceptible to a critical weakness that permits authenticated users, even those with minimal permissions, such as subscribers, to install specific plugins without proper authorization. This arises from a lack of capability verification in the function handling plugin installations, leading to potential exploitation and unauthorized control over affected sites. It is crucial for users of these plugins to take immediate action to secure their installations and prevent unwanted access.

Affected Version(s)

Backup Migration * <= 1.2.7

Clone * <= 2.3.7

Duplicate Post * <= 1.3.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/feedburner-alt...

https://plugins.trac.wordpress.org/browser/ultimate-socia...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 28, 2023
Vulnerability Reserved
Feb 22, 2023

Credit

Chloe Chamberland